> When the deafult SunX509KeyManagerImpl is being used we are in violation of > TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent > to us in "signature_algorithms"/"signature_algorithms_cert" extensions: > https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2 > https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3 > > X509KeyManagerImpl on the other hand includes the algorithms sent by the peer > in "signature_algorithms_cert" extension (or in "signature_algorithms" > extension when "signature_algorithms_cert" extension isn't present) in the > algorithm constraints being checked.
Artur Barashev has updated the pull request incrementally with one additional commit since the last revision: Add PeerConstraintsCheck unit test ------------- Changes: - all: https://git.openjdk.org/jdk/pull/25016/files - new: https://git.openjdk.org/jdk/pull/25016/files/75528109..88cd4016 Webrevs: - full: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=01 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=00-01 Stats: 284 lines in 3 files changed: 277 ins; 5 del; 2 mod Patch: https://git.openjdk.org/jdk/pull/25016.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016 PR: https://git.openjdk.org/jdk/pull/25016
